
Creating mitigation controls during AC 10 implementation

Former Member

We are doing the AC 10 implementation and found there are around 250 standard risks in the global ruleset. The implementation team is suggesting to mitigate the risks. My question is: do we need to mitigate all 250 risks now, before the installation of the Production system and running the actual risk analysis to get the list of violations?

Also, is there a way to create the mitigation controls for the 250 risks together, rather than creating them individually? Maybe some way to upload them.

Accepted Solutions (1)

Former Member

implementation team, they are suggesting to mitigate the risks. My question is: do we need to mitigate all 250 risks now, before the installation of the Production system and running the actual risk analysis to get the list of violations?

It depends. Maybe your LOB wants to see how many risks exist and how many mitigations are carried out before going live. You have to check this with your LOB.

Also, is there a way to create the mitigation controls for the 250 risks together, rather than creating them individually? Maybe some way to upload them.

No. It's a manual task, since the risks that you associate with the mitigation controls, and the mitigation control descriptions and reasons, are free-flow text fields and can't be uploaded.

Regards,

Raghu

Former Member

Thanks again for clearing the doubt. The requirement is not coming from the LOB; it's the ramp-up team which is suggesting to create the mitigation controls now. Currently only the dev system is configured, and the risk findings will be too high in the Dev system.

I am more inclined to run the risk analysis in the Production system and create the mitigation controls for the risks identified in Production.

Former Member

Hi,

Check with your LOB. They are the right people to decide, not the community.

Regards,

Raghu

Former Member

Let me share my experience.

First point: 251 risks are too many. You should identify whether all 251 risks make sense. If yes, then you should first go with remediation. Try to clean up so that during analysis the number of risks comes down.

The last resort should be mitigation.

In many cases there would be a compliance or Internal Control team that owns the mitigation controls. Kindly check in your case if you already have some kind of mitigation control or internal control which you can map to your risks.

Thanks & Regards

Asheesh

Former Member

I completely agree with Asheesh.

I am also involved with one of the ramp-up teams for AC10, and this is the correct approach that we would have to look at, as creating mitigation for all the risks is only the feasible solution.

Once we have the roles cleaned up, this should also help to stay clean. Even after all the roles are cleaned up, if we still have some risks, then we would have to look at the mitigation process for all these risks.

Former Member

Dear Asheesh, Raghu and Vikas,

I also agree with all of you. So it means we should only start creating mitigation controls after the Go-Live phase, as then we have the running Production system and can have the actual risks existing in our landscape.

As of now, with only the development system running, it's not possible to get the risk analysis running and find the risks that will come in the Production system.

I will follow this process after the Production system is running:

1. Run the risk analysis report to find all the risks.

2. Try to remediate the risks by cleaning up the roles.

3. Send the remaining list of risks (with affected users and roles) to the process owners via email. They can suggest two things:

a) to remove the authorization from the roles/user if it's too risky for the user to have, or the user should not be authorized to use that tcode; or

b) if not possible, they will suggest the security admin to create the mitigation control for it and mitigate.

Please confirm if this is not the correct approach.

Thanks for your replies.

Former Member

Hi,

Maybe for creating MCs you need not wait for production. This is a separate exercise which can start in parallel, and basically the compliance team will be responsible, not the security team.

You can keep the MC catalog ready so that in a situation where you are not able to remediate, you do not have to wait for an MC to be created.

Keep the MC catalog ready and use it as a last resort.

Thanks & Regards

Ashish

Former Member

Dear Ashish,

It means we can forward the standard risks in the global ruleset to the mitigation control team to review them. But can the mitigation control team review the risks and decide on mitigation controls without knowing which users in the production system the risks apply to?

Former Member

My understanding is an MC can be created for a risk without knowing which user it belongs to.

Let's take an example:

ME21N and F110 will always be a risk, no matter which user is performing these two t-codes.

So the MC for this can be made handy, and whenever a user gets it, they can assign it.

But during assignment of the MC to a risk and a user, you need to see how efficient the MC is going to be for that user.

If you find it's not very efficient for that user's scenario, you need to go for a LOCAL mitigation control.

Hope I have answered your question.

Thanks & Regards

Asheesh
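
The three-step process agreed above (run the risk analysis, clean up the roles, then mitigate what remains) and Asheesh's point about a global mitigation control versus a local one, as an added example in plain Python. It is not part of this thread and is not SAP GRC Access Control code: it does not read the AC 10 global ruleset, and every user, role, transaction code, risk ID and control ID in it is constructed for illustration (the IDs are hypothetical); only the ME21N / F110 conflict is taken from the thread.

```python
# Added example: toy segregation-of-duties (SoD) analysis. Not SAP GRC code;
# all IDs, users, roles and tcodes below are constructed / hypothetical.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Risk:
    risk_id: str                # hypothetical ID, not a real global-ruleset ID
    description: str
    function_a: FrozenSet[str]  # tcodes that exercise the first conflicting function
    function_b: FrozenSet[str]  # tcodes that exercise the second conflicting function


@dataclass(frozen=True)
class Violation:
    user: str
    risk_id: str
    hits_a: Tuple[Tuple[str, str], ...]  # (role, tcode) pairs supplying function A
    hits_b: Tuple[Tuple[str, str], ...]  # (role, tcode) pairs supplying function B

    @property
    def within_single_role(self) -> bool:
        """True when one role alone carries both sides of the conflict: a
        role-level risk that cleaning the role removes for every holder."""
        return bool({r for r, _ in self.hits_a} & {r for r, _ in self.hits_b})


@dataclass(frozen=True)
class Control:
    control_id: str                         # hypothetical ID
    risks: FrozenSet[str]                   # risk IDs this control mitigates
    users: Optional[FrozenSet[str]] = None  # None = global (any user); a set = local control for those users


# Constructed sample data; the ME21N / F110 pair is the one named in the thread.
RULESET = [
    Risk("P001", "Create purchase order and execute payment run",
         frozenset({"ME21N", "ME22N"}), frozenset({"F110"})),
]
ROLES = {
    "Z_PURCHASER":   {"ME21N", "ME22N", "ME23N"},
    "Z_AP_PAYMENTS": {"F110", "FB60"},
    "Z_SUPERUSER":   {"ME21N", "F110", "SU01"},
}
USERS = {
    "ALICE": {"Z_PURCHASER"},
    "BOB":   {"Z_PURCHASER", "Z_AP_PAYMENTS"},
    "CAROL": {"Z_SUPERUSER"},
}
CONTROLS = [
    Control("MC_P001_GLOBAL", frozenset({"P001"})),                         # reusable for any user
    Control("MC_P001_BOB_LOCAL", frozenset({"P001"}), frozenset({"BOB"})),  # built for one user's scenario
]


def analyze(users, roles, ruleset) -> List[Violation]:
    """Step 1, risk analysis: a user violates a risk when their roles together
    supply at least one tcode from each of the two conflicting functions."""
    found = []
    for user, role_names in sorted(users.items()):
        for risk in ruleset:
            hits_a = sorted((r, t) for r in role_names for t in roles[r] & risk.function_a)
            hits_b = sorted((r, t) for r in role_names for t in roles[r] & risk.function_b)
            if hits_a and hits_b:
                found.append(Violation(user, risk.risk_id, tuple(hits_a), tuple(hits_b)))
    return found


def remediate(roles, role, tcode) -> Dict[str, Set[str]]:
    """Step 2, remediation: copy of the role catalogue with one transaction
    removed from one role (the 'clean up the roles' action)."""
    cleaned = {name: set(tcodes) for name, tcodes in roles.items()}
    cleaned[role].discard(tcode)
    return cleaned


def mitigate(violations, controls, assignments):
    """Step 3, mitigation: an assignment (user, risk_id, control_id) covers a
    violation only if the control is mapped to that risk and, for a local
    control, to that user. Returns (mitigated, still_open)."""
    by_id = {c.control_id: c for c in controls}
    mitigated, still_open = [], []
    for v in violations:
        covered = any(
            r == v.risk_id and r in by_id[cid].risks
            and (by_id[cid].users is None or v.user in by_id[cid].users)
            for u, r, cid in assignments if u == v.user and cid in by_id
        )
        (mitigated if covered else still_open).append(v)
    return mitigated, still_open


def walkthrough():
    """Run the three steps in order on the sample data."""
    initial = analyze(USERS, ROLES, RULESET)           # BOB and CAROL violate P001
    cleaned = remediate(ROLES, "Z_SUPERUSER", "F110")   # fix the role-level conflict
    remaining = analyze(USERS, cleaned, RULESET)        # only BOB's cross-role conflict is left
    mitigated, still_open = mitigate(remaining, CONTROLS, [("BOB", "P001", "MC_P001_GLOBAL")])
    return initial, remaining, mitigated, still_open
```

Calling `walkthrough()` shows CAROL's conflict disappearing once F110 is removed from Z_SUPERUSER (a role-level fix that helps every holder of that role), while BOB's cross-role conflict survives remediation and is closed only by a control assigned to him for that risk. A local control built for one user does not cover another user, which is the check Asheesh describes before deciding whether a local control is needed.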
